Monday, October 3, 2011

Combating selinux for the timeline

The timeline I was working on ended up being hosted on foss.rit.edu, but getting it there took nothing less than an arduous battle with selinux. I first created an alias so that I could put all my work in a single directory under a separate user account on the box, and tossed it into the right /etc/httpd/conf.d/ configuration file.

Alias /timeline "/home/myusraccount/timeline"

# The directives below apply to the aliased directory (the <Directory> container
# was lost when the post was rendered; it is restored here).
<Directory "/home/myusraccount/timeline">
    AllowOverride All
    Options Indexes
    Order allow,deny
    Allow from all
</Directory>

Any work from here on out could be tossed into /home/myusraccount/timeline/. While this is convenient, it posed a slight problem. The form I had created to give me an easy way to add events to my timeline posts its data to my python cgi script, which handles it. That script effectively runs as the "apache" user, and selinux has a slight problem with letting the apache user modify files inside /home/myusraccount/timeline.

First I changed the owner of the relevant file and the timeline directory file to the apache user. No luck.

I then tried to add apache and myusraccount to the same group, giving the group full permissions of the file and directory being touched by the cgi script. No luck.

For random kicks, I turned off selinux. That did the trick. Turning it back on, I tried to change the context of the files and directories myself, but couldn't get anything to work for the life of me. My mentors in the fossbox showed me a nifty tool, audit2allow, which lets users generate allow rulesets for specific operations. This tool parses the audit logs for permission-denied messages and can automatically generate rules that permit the denied operations. Basically: do what you want to do, watch it fail, run audit2allow, and apply the rule. Of course, you'll want to be careful with the rule you do apply, since selinux could very well be protecting your machine from a big security risk.
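The "watch it fail, then decide what to allow" workflow above, as an added example that is not from the original post: a constructed AVC denial (the kind `ausearch -m avc` prints) is parsed, and when httpd_t is being refused access to user_home_t content the script recommends relabeling the directory with `semanage fcontext`/`restorecon` instead of loading a new allow rule, falling back to the reviewed audit2allow path otherwise. The script name add_event.py, the audit record values and the module name timeline_local are made up for the example.

```shell
#!/bin/sh
# Constructed AVC denial in the form `ausearch -m avc` prints (not from the post):
# the CGI script running as httpd_t is denied write on a user_home_t directory.
SAMPLE_AVC='type=AVC msg=audit(1317650000.123:456): avc:  denied  { write } for  pid=2345 comm="add_event.py" name="timeline" dev=sda1 ino=131072 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir'
# Pull one key=value field (scontext, tcontext, tclass, comm, ...) out of a record.
avc_field() {  # $1 = record, $2 = field name
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}
# The SELinux type is the third colon-separated part of a context string.
context_type() {  # $1 = context such as unconfined_u:object_r:user_home_t:s0
    printf '%s\n' "$1" | cut -d: -f3
}
# The denied permissions sit between the braces: "{ write }" -> "write".
avc_perms() {  # $1 = record
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{ *\([^}]*\)}.*/\1/p' | sed 's/[[:space:]]*$//'
}
# httpd_t being refused access to user_home_t content means the files carry the
# wrong label; relabeling is the least-privilege fix. Anything else needs a
# human to read the denial before audit2allow turns it into an allow rule.
recommend_fix() {  # $1 = record; prints "relabel" or "review"
    if [ "$(context_type "$(avc_field "$1" scontext)")" = httpd_t ] &&
       [ "$(context_type "$(avc_field "$1" tcontext)")" = user_home_t ]; then
        echo relabel
    else
        echo review
    fi
}

# Commands for each outcome (printed, not executed; run them as root on the host).
relabel_commands() {  # $1 = directory the Alias points at
    cat <<EOF
semanage fcontext -a -t httpd_sys_rw_content_t "$1(/.*)?"
restorecon -Rv "$1"
EOF
}
audit2allow_commands() {  # $1 = comm name from the denial
    cat <<EOF
ausearch -m avc -c "$1" | audit2allow -M timeline_local
cat timeline_local.te   # read every allow line; load nothing you cannot justify
semodule -i timeline_local.pp
EOF
}

dir=/home/myusraccount/timeline
echo "denied: $(avc_perms "$SAMPLE_AVC") on $(avc_field "$SAMPLE_AVC" tclass)"
case $(recommend_fix "$SAMPLE_AVC") in
    relabel) relabel_commands "$dir" ;;
    review)  audit2allow_commands "$(avc_field "$SAMPLE_AVC" comm)" ;;
esac
```

If denials then move to the parent home directory itself, the httpd_enable_homedirs boolean (`getsebool httpd_enable_homedirs`) governs that access and is worth checking before reaching for audit2allow.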
